Audit Report

OIG-10-039
AUDIT REPORT
INFORMATION TECHNOLOGY: BPD Successfully Demonstrated Recovery of the Authentication Services–Fiscal Services CA System

May 11, 2010

Office of Inspector General
Department of the Treasury

Contents

Audit Report
  Results in Brief
  Background
  Finding
    BPD Successfully Demonstrated Disaster Recovery Capability for the Authentication Services–Fiscal Services CA System

Appendices
  Appendix 1: Objective, Scope, and Methodology
  Appendix 2: Management Comments
  Appendix 3: Major Contributors
  Appendix 4: Report Distribution

Abbreviations

  BPD   Bureau of the Public Debt
  CA    certificate authority
  FMS   Financial Management Service

INFORMATION TECHNOLOGY: BPD Successfully Demonstrated Recovery of the Authentication Services–Fiscal Services CA System (OIG-10-039)

Audit Report
The Department of the Treasury
Office of Inspector General

May 11, 2010

Van Zeck, Commissioner
Bureau of the Public Debt

Our overall objective for this audit was to determine if the Bureau of the Public Debt (BPD) could successfully demonstrate disaster recovery capability for the Authentication Services–Fiscal Services Certificate Authority (CA) system. To accomplish this objective, we observed the disaster recovery exercise held at BPD on January 27, 2010, and reviewed the disaster recovery documentation for the exercise.

We performed our fieldwork at BPD facilities in West Virginia on January 27, 2010. The audit was performed in accordance with generally accepted government auditing standards.[1] Our objective, scope, and methodology are described in appendix 1.

[1] Government Accountability Office, Government Auditing Standards, GAO-07-731G (July 2007).

Results in Brief

We found that BPD successfully demonstrated disaster recovery capability for the Authentication Services–Fiscal Services CA system in January 2010. BPD met exercise objectives by successfully recovering the system at an alternate location, testing the functionality of the certificate authority, and restoring service at the primary location.

Background

BPD's mission is to borrow the money needed to operate the federal government, account for the resulting debt, and provide reimbursable support services to federal agencies. BPD borrows by selling Treasury bills, notes, bonds, and savings bonds. BPD pays interest to purchasers of those securities and redeems the securities when the time comes to pay back the loans. Every time BPD borrows or pays back money, it affects the outstanding debt of the United States.

To manage its programs, BPD must ensure that reliable systems and processes are in place for buying and transferring Treasury securities. As of September 30, 2009 and 2008, federal debt managed by BPD totaled about $11.9 trillion and $10.0 trillion, respectively, primarily for moneys borrowed to fund the government's operations. These balances consisted of approximately (1) $7.6 trillion and $5.8 trillion of debt held by the public as of September 30, 2009 and 2008, respectively, and (2) $4.3 trillion and $4.2 trillion of intragovernmental debt holdings as of September 30, 2009 and 2008, respectively. Total interest expense on federal debt managed by BPD for fiscal years 2009 and 2008 was about $381 billion and $454 billion, respectively. BPD is responsible for accounting for the public debt of the United States and for providing timely and accurate reports on that debt.

Through its Franchise Services, BPD offers a wide range of administrative and technology services, on a fully reimbursable basis, to many other federal agencies. The Authentication Services–Fiscal Services CA system is one of these services; it provides secure identity verification for devices and users for BPD and other subscriber organizations. The system is maintained and operated by BPD and Treasury's Financial Management Service (FMS).

Finding: BPD Successfully Demonstrated Disaster Recovery Capability for the Authentication Services–Fiscal Services CA System

BPD successfully demonstrated disaster recovery capability for the Authentication Services–Fiscal Services CA system by activating the backup system at the alternate facility within 4 hours of the simulated failure of the primary system. In addition, FMS, in coordination with BPD, conducted a functional test of the backup system and determined that user certificates could be created and managed on the backup system. Finally, BPD was able to restore services to the primary system.

During the disaster recovery exercise, two issues presented obstacles to the system administrators, which were resolved during the exercise.

• When first attempting to recover the system, BPD administrators found that the hardware key stored at the backup facility, which is necessary to start the backup system, was not functional. The administrators were able to use an additional backup key retrieved from offsite to continue the recovery of the system. The location and availability of the offsite key were documented in the system recovery plan.

• After the backup system was started, testing for functionality was performed remotely by an FMS administrator. During the tests, the FMS administrator encountered an error in creating a new user certificate. The BPD system administrators determined that the recovery software did not create a required directory. They manually created the directory, and the FMS administrator was able to successfully conclude functionality testing.

While onsite at BPD's alternate facility, we also performed a limited assessment of physical security controls. We found that security at the alternate facility site was adequate to protect the system.

During our review of the after-action report prepared by BPD, we noted that BPD had documented both of the issues noted above that were encountered during the disaster recovery exercise. Because neither issue prevented successful recovery and testing of the system, and recovery was completed within the required timeframe, we consider the test to be fully successful. As such, we do not have recommendations to offer at this time.

Management Response. Management agreed with the conclusions in this report with regard to its disaster recovery capability for the Authentication Services–Fiscal Services CA system. BPD's formal response is in appendix 2.

OIG Comment. We acknowledge and appreciate management's response.

******

I would like to extend my appreciation to BPD for the cooperation and courtesies extended to my staff during the review. If you have any questions, please contact me at (202) 927-5171 or Abdirahman Salah, IT Audit Manager, Office of Information Technology Audits, at (202) 927-5763. Major contributors to this report are listed in appendix 3.

/s/

Tram Jacquelyn Dang
Audit Director

Appendix 1
Objective, Scope, and Methodology

Our overall objective for this audit was to determine if the Bureau of the Public Debt (BPD) could successfully demonstrate the disaster recovery capability for the Authentication Services–Fiscal Services CA system. To accomplish this objective, we reviewed the planning documentation related to the system and the specific exercise; observed the disaster recovery exercise held on January 27, 2010, at BPD's alternate facility in West Virginia; met with the appropriate information technology personnel; and reviewed and analyzed BPD's after-action report.

We also reviewed BPD's adherence to applicable criteria for disaster recovery capability and demonstration of disaster recovery capability. Specifically, we reviewed the following Office of Management and Budget (OMB), National Institute of Standards and Technology (NIST), and Treasury policies, which served as criteria for our audit:

• OMB Memorandum M-09-29, "FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management"
• NIST Special Publication 800-53, revision 2, "Recommended Security Controls for Federal Information Systems"
• NIST Special Publication 800-34, "Contingency Planning Guide for Information Technology Systems"
• NIST Special Publication 800-84, "Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities"
• Treasury Directive Publication 85-01, "Treasury Information Technology Security Program Volume 1 Unclassified Systems version 2.2.2"

This audit was performed in accordance with generally accepted government auditing standards. These standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. This audit was included in the Office of Inspector General Annual Plan for 2010. The results of this audit may be used to support our work undertaken in accordance with the requirements of the Federal Information Security Management Act.

Appendix 2
Management Comments

Appendix 3
Major Contributors

Office of Information Technology Audits

Tram J. Dang, Director, Office of Information Technology Audit
Abdirahman M. Salah, Information Technology Audit Manager
Gerald J. Steere, Information Technology Specialist
Shiela S. Michel, Referencer

Appendix 4
Report Distribution

Bureau of the Public Debt

  Commissioner

Department of the Treasury

  Office of Accounting and Internal Control
  Office of Strategic Planning and Performance Management
  Office of the Chief Information Officer

Office of Management and Budget

  Office of Inspector General Budget Examiner